[pve-devel] [PATCH cluster] Free certificate file after reading it

Thomas Lamprecht t.lamprecht at proxmox.com
Tue Jul 24 10:29:18 CEST 2018


On 07/23/2018 at 02:59 PM, Stoiko Ivanov wrote:
> Fix #1843
> 
> Reading https://$host:8006/nodes repeatedly leads to pveproxy keeping a
> file descriptor open for each node-certificate in the cluster and each request,
> thus eventually reaching its NOFile limit.
> 
> In accordance with the SSLeay docs: https://metacpan.org/pod/Net::SSLeay
> 

good catch...

> Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
> ---
> Would it make sense to unify the certificate reading here with the methods we
> have in pve-common/src/PVE/Certificate.pm? It took me longer to find the bug,
> since I was focussed on the missing BIO_free in a method there.
> 
> data/PVE/Cluster.pm | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/data/PVE/Cluster.pm b/data/PVE/Cluster.pm
> index 7569abc..6dc41ce 100644
> --- a/data/PVE/Cluster.pm
> +++ b/data/PVE/Cluster.pm
> @@ -1537,6 +1537,7 @@ sub read_ssl_cert_fingerprint {
>   	Net::SSLeay::BIO_free($bio);
>   	die "unable to read certificate from '$cert_path'\n";
>       }
> +    Net::SSLeay::BIO_free($bio);

but why not just do the free always (instead of having it now twice
here), à la:

my $cert = Net::SSLeay::PEM_read_bio_X509($bio);
Net::SSLeay::BIO_free($bio);

die "unable to read certificate from '$cert_path'\n" if !$cert;

>   
>       my $fp = Net::SSLeay::X509_get_fingerprint($cert, 'sha256');
>       Net::SSLeay::X509_free($cert);
> 
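Review bot: the added `Net::SSLeay::BIO_free($bio);` after the `die` block duplicates the `BIO_free` already inside the error branch, so the function now carries two release paths for the same BIO. Since `$bio` is not used after `PEM_read_bio_X509`, a single unconditional `Net::SSLeay::BIO_free($bio);` directly after the read, followed by `die "unable to read certificate from '$cert_path'\n" if !$cert;`, covers both the error and the success path with one line and leaves no branch where the free can be forgotten again. The success path already releases `$cert` via `X509_free` after the fingerprint is taken, so with the hoisted free neither handle outlives the call.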